NHS England has shared an open letter to current suppliers across the health and care system, outlining the shared responsibility to strengthen cyber security, and plans for direct supplier engagement.
From January 2026, NHS England will be looking to contact suppliers directly to discuss current cyber security controls, requesting supporting information or evidence “where appropriate”, such as in instances where suppliers deliver services deemed to be critical to patient care or operational continuity.
“This is not an audit, and it is not a pass or fail exercise,” NHS England explains. “This programme is about identifying risk and working in partnership to agree proportionate remediation activity, that strengthens resilience for everyone.”
All suppliers are encouraged to review the Cyber Security Supply Chain Charter and the expectations it sets out around maintaining system support, vulnerability patching, using multi-factor authentication, maintaining “standards met” in the Data Security and Protection Toolkit, testing recovery plans, and ensuring effective monitoring of critical IT infrastructure.
Engagement may also be sought by NHS organisations holding contracts with suppliers, NHS England continues, adding: “Our goal is to work collaboratively, transparently, and with respect for existing relationships, ensuring suppliers are not surprised by requests for information and that the overall process is as efficient as possible.”
Further information will be released as it is made available, and any questions should be directed to england.cyber@nhs.net.
Earlier this month, the government updated its Cyber Action Plan, part of the Roadmap for Modern Digital Government, with the aim of tackling "critically high" cyber risk. The plan moves towards proactive action, clear accountability, mandatory requirements, and comprehensive central support, and £210 million has been invested in forming a new Government Cyber Unit to provide direction and expert support.
Late last year, the Cyber Security and Resilience (Network and Information Systems) Bill brought companies providing IT and cyber services to the NHS into regulation "for the first time", including duties to report cyber incidents and requirements for cyber mitigation plans. Given the trusted access these companies hold to critical national infrastructure, government, and business networks, the Bill sets out clear security duties that will need to be met. "This includes reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences," the Department for Science, Innovation and Technology states.
Wider trend: NHS cyber resilience
For a December panel discussion, we explored cyber resilience within the NHS, focusing on some of the strategic challenges in this area around preparedness and recovery. Our panellists also discussed how to embed resilience into clinical, technical, and governance frameworks and make cyber security a priority across the healthcare sector. We were joined by Hubert Ametefe, CISO at Bedfordshire Hospitals NHS FT; Mike Fell, director of national cyber operations at NHS England; Julian Wiggins, healthcare solution director at Rackspace Technology; and Nasser Arif, cyber security manager for London NW University Healthcare and The Hillingdon Hospitals.
Guidance from NHS England has outlined ways non-executive directors can contribute to keeping their organisation safe from cyber attack, with Jamie Saunders, non-executive chair of the NHS England Cyber Security Risk Committee, noting, "boards throughout the NHS have a key role to play in safeguarding patients from this risk." The guidance is intended as a resource to help board members understand and manage cyber security risk, explaining what insight external assessments can provide, which questions non-executive directors should ask themselves, and which questions the board should be asking of the organisation.
NHS England has also shared plans for the reprocurement of its cyber operations external attack surface management system, launching a market engagement process to brief suppliers ahead of procurement. The solution is to protect internet-facing IT systems against cyber threats and is to be delivered as a national service to NHS organisations. NHS England has so far outlined that the solution should build on lessons learned from the current service, reduce cyber risk, and improve the overall understanding of security weaknesses across the NHS; it should also apply "severity-based prioritisation of remediation" so that vulnerabilities and exposed assets are addressed in order of risk.